Find your solution!

ihatepopups · 05-Dec-2004, 08:45 PM #1

Hi guys, wonder if you could help me with this problem I'm having with continuous popups. I've run hijackthis and the only results that are out of the ordinary are these:

01 - Hosts: 69.20.16.183 auto.search.msn.com
01 - Hosts: 69.20.16.183 search.netscape.com
01 - Hosts: 69.20.16.183 ieautosearch

I've tried removing them with hijackthis but as soon as its "fixed" I rescan and they are back. I've tried the advice of this link http://www.ozzu.com/ftopic29754.html to no avail. If anyone has any ideas to cure this I'd really appreciate it as currently this problem is driving me crazy!

Have also looked in the processes list but nothing seems out of the ordinary, ditto the startup list.

Many thanks in advance!

iHATEpopups.

MFDnNC · 05-Dec-2004, 08:47 PM #2

Do a couple online scans from this list http://forums.techguy.org/t110854.html

get and run CWShredder http://www.intermute.com/spysubtract..._download.html
Close all browser windows, open cwshredder.exe then click "Fix" and let
it run.

SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their

definition updates and then run AdAware and Spybot, fixing anything

they say.

Do these before the next step.

Then get HiJack This http://www.majorgeeks.com/download3155.html,
put it in a permanent folder, run it , DO NOT fix anything, post the log
here. Logs are tricky and you need a lot of experience to figure them out.

ihatepopups · 11:14 PM

Trend Micro found 13 non-cleanable entries which were all deleted.

CWS kept freezing after trying to scan the 2nd item on it's list, after restarting CWS, it mentioned that the coolwebsearch trojan was trying to shut it down, I tried restarting the scan a few times and it froze each time despite CWS trying to rename itself..? All I could get was the scan report below:

CWShredder v2.0. scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.

System Information:
Windows XP (5.01.2600 SP2)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\A1A\Application Data
Username: A1A

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (1204 bytes, -)
Hosts file: 69.20.16.183 auto.search.msn.com
Hosts file: 69.20.16.183 search.netscape.com
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\SYSTEM32\Userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (528 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, -)

- END OF REPORT -

AdAware found 37 items, IBIS toolbar, various tracking cookies etc. All removed currently..

Spybot found;

IGetNet, 1 entry
Redirected host
ieautosearch=69.20.16.183

Common hijacker, 2 entries
Redirected host
search.netscape.com=69.20.16.183

Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Bootconf, 1 entry
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Loadbat, 1 entry
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Msconfd, 1 entry
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Oslogo, 1 entry
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Tapicfg, 1 entry
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Xmlmimefilter, 1 entry
Redirected host
auto.search.msn.com=69.20.16.183

According to SpyBot, IGetNet and Common hijacker were fixed, the other items were not.

HijackThis Log

Logfile of HijackThis v1.98.2
Scan saved at 04:12:44, on 06/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: RAinit.dll

Any help with this would be very much appreciated!

iHATEpopups.

MFDnNC · 05-Dec-2004, 11:33 PM #4

I'll try to get someone who knows more about this to look at it!

ihatepopups · 06-Dec-2004, 08:46 AM #5

Many thanks, Much appreciated.

iHATEpopups.

**Rollin' Rog** · 06-Dec-2004, 11:29 AM #6

This is a new variant of the VX2 wares which requires some special tools to diagnose. Since no one else has taken this I guess you will be my first guniea pig. Flrman1 has provided us with a scheme to follow and I will use that.

You will need to download and unzip the files below. Make a separate folder for them, preferably in My Documents:

http://forums.techguy.org/attachment...chmentid=44795
http://forums.techguy.org/attachment...chmentid=44794
http://www.downloads.subratam.org/KillBox.zip

Fully unzip all files to their own folders.

1 >> run "silentrunners.vbs". It will create a text file which you can upload as an attachment.

2 >> run "dllcompare.exe". Select "runlocate.com". Then select "compare". Once that is complete select "make log". You will also upload that as an attachment.

3 >> go to Start and run regedit.exe and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

> Select File > Export. Name it "notify" and save it to the desktop. Right click on it and select "edit". This will open it in Notepad. Copy/paste that to a reply.

Important: do NOT restart the computer after doing this as the files may change.

ihatepopups · 06-Dec-2004, 12:04 PM #7

Many.thanks.will.do.this.within.the.hour.and.report.back.

Appologies.for.the.period.marks,the.spacebar.on.this.PC.doesn't.work!(not.t he.PC.with.the.virii!)

Thanks.again,

iHATEpopups.

ihatepopups · 06-Dec-2004, 02:12 PM #8

"Silent Runners.vbs", revision 27, launched at: 19:04
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ProtoWall" = "C:\Program Files\dudez\protowall\ProtoWall.exe" [null data]
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"AVG_CC" = "C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP" ["GRISOFT s.r.o."]
"WinVNC" = ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper" ["RealVNC Ltd."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"WinTools" = "C:\Program Files\Common Files\WinTools\WToolsA.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
"WinTools" = "" [(file not found)]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\INF\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{87766247-311C-43B4-8499-3D5FEC94A183}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "RAinit.dll" ["3am Labs Ltd."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Telephony\DLLName" = "C:\WINDOWS\system32\d80m0id1e80.dll" [null data]

Startup items in "A1A" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
AVG6 Service, AvgServ, "C:\PROGRA~1\Grisoft\AVG6\avgserv.exe" ["GRISOFT s.r.o"]
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
FTP Publishing, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IIS Admin, IISADMIN, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dmserver.dll" ["Microsoft Corp."]}
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
WinTools for IE service, WinToolsSvc, "C:\Program Files\Common Files\WinTools\WToolsS.exe" [null data]
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}

-------------------------------------------------------------------------

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\d80m0i~1.dll Sun 5 Dec 2004 21:57:56 ..S.R 225,515 220.23 K
C:\WINDOWS\SYSTEM32\didim.dll Mon 6 Dec 2004 1:16:58 ..S.R 225,515 220.23 K
C:\WINDOWS\SYSTEM32\msr.dll Sun 5 Dec 2004 20:17:46 ..S.R 224,086 218.83 K
C:\WINDOWS\SYSTEM32\nrhtml.dll Sun 5 Dec 2004 19:39:10 ..S.R 223,875 218.63 K
C:\WINDOWS\SYSTEM32\o4ro0e~1.dll Mon 6 Dec 2004 1:15:58 ..S.R 225,407 220.12 K
C:\WINDOWS\SYSTEM32\o6nslg~1.dll Sun 5 Dec 2004 20:01:38 ..S.R 223,232 218.00 K
________________________________________________

1,297 items found: 1,297 files (6 H/S), 0 directories.
Total of file sizes: 266,895,946 bytes 254.53 M

Administrator Account = True

AppInit_DLLs value = RAinit.dll (not hidden)
--------------------End log---------------------

--------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,0 0,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,0 0,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,0 0,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,0 0,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\d80m0id1e80.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,0 0,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

Hope this is of some use!

iHATEpopups.

ihatepopups · 05:34 PM

Popups are becoming more frequent, computer rebooted itself and upon restart claimed there was a problem with winlogon.exe

*Edit* Now randomly restarting.

iHATEpopups.

**Rollin' Rog** · 06-Dec-2004, 06:09 PM **#10**

Ok, follow these directions. Have them printed or in a convenient notepad file

Run regedit and navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony

With "telephony" highligted, select File > Export. Name it "telephony" and save it to the desktop for now. Then right click on it in regedit and delete it.

Next, run the "killbox".

For each file below copy the full path to the "file to be deleted" field. Put a check in "end explorer shell" and "delete on reboot".

Press the "red X" after each has been entered -- but do not reboot. Instead repeat for each file until all have been entered. When the last one has been entered you may then confirm the prompt to reboot. Be prepared to do so by having all other programs closed.

C:\WINDOWS\SYSTEM32\d80m0i~1.dll
C:\WINDOWS\SYSTEM32\didim.dll
C:\WINDOWS\SYSTEM32\msr.dll
C:\WINDOWS\SYSTEM32\nrhtml.dll
C:\WINDOWS\SYSTEM32\o4ro0e~1.dll
C:\WINDOWS\SYSTEM32\o6nslg~1.dll

After rebooting run HijackThis and check and fix ALL entries EXCEPT those below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: RAinit.dll

^^ these are the ones you want to keep.

>> Install, UPDATE, and run a full Ad-Aware SE scan. Include the VX2 Plugin:

Ad-Aware Home Page

http://download.lavasoft.de.edgesuit...vx2cleaner.exe
The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

Post a new HiackThis scanlog.

Also, here is an "all in one" finder that I'd like you to run:

http://forums.techguy.org/attachment...chmentid=44854

Unzip and run "findit.bat". Give it a minute to complete. You may initially see a "file not found" in the cmd window. When it completes you should see a text file. Attach or copy/paste that here along with your new scanlog.

ihatepopups · 06-Dec-2004, 06:18 PM **#11**

Thanks for the reply, in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ I have crypt32chain, cryptnet, cscdll, IPConfTSP, SCCertProp, Schedule, sclgntfy, SensLogn, termsrv and wlballoon. No sign of telephony.. :s

iHATEpopups

ihatepopups · 08:26 PM

Proceeded as if the telephony comment had been deleted.

AdAware found 143 critical entries, clicked fix which crashed explorer. Got a message "these files could not be deleted do you want AdAware to delete them after next reboot?" I clicked no.

C:\Program Files\Common Files\WinTools\WToolsB.dll
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsB.dll
C:\Program Files\Common Files\WinTools\WToolsC.cfg
C:\Program Files\Common Files\WinTools\WToolsD.cfg
C:\Program Files\Common Files\WinTools\WToolsP.cfg
C:\Program Files\Common Files\WinTools\WinTools.exe

The VX2 plug in reported the system to be clean.

Current HijackThis scan:

Logfile of HijackThis v1.98.2
Scan saved at 00:00:02, on 07/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\A1A\LOCALS~1\Temp\Temporary Directory 63 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: RAinit.dll

FindIt Scan

arning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number is 4C1F-D05A

Directory of C:\WINDOWS\System32

06/12/2004 23:25 222,898 odmanage.dll
06/12/2004 23:25 224,404 h60qlgd5160.dll
06/12/2004 22:31 222,898 en8ol1l31.dll
06/12/2004 22:21 222,923 enl4l13q1.dll
06/12/2004 21:01 225,515 hr6u05j9e.dll
09/11/2004 20:05 <DIR> dllcache
13/01/2004 21:25 <DIR> Microsoft
5 File(s) 1,118,638 bytes
2 Dir(s) 1,665,601,536 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number is 4C1F-D05A

Directory of C:\WINDOWS\System32

09/11/2004 20:05 <DIR> dllcache
27/09/2004 20:28 23,148 Atmenuxx.GID
21/02/2004 15:34 4,212 zllictbl.dat
15/11/2003 19:32 488 WindowsLogon.manifest
15/11/2003 19:32 488 logonui.exe.manifest
15/11/2003 19:32 749 cdplayer.exe.manifest
15/11/2003 19:32 749 sapi.cpl.manifest
15/11/2003 19:32 749 wuaucpl.cpl.manifest
15/11/2003 19:32 749 nwc.cpl.manifest
15/11/2003 19:32 749 ncpa.cpl.manifest
9 File(s) 32,081 bytes
1 Dir(s) 1,665,597,440 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is Local Disk
Volume Serial Number is 4C1F-D05A

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C is Local Disk
Volume Serial Number is 4C1F-D05A

Directory of C:\WINDOWS\System32

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2CED1AD2-F618-4DFC-A3CE-96C169CE6535}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en8ol1l31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\System32\EN8OL1~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
en8ol1~1.dll Mon 6 Dec 2004 22:31:22 ..S.R 222,898 217.67 K
enl4l1~1.dll Mon 6 Dec 2004 22:21:14 ..S.R 222,923 217.70 K
h60qlg~1.dll Mon 6 Dec 2004 23:25:12 ..S.R 224,404 219.14 K
hr6u05~1.dll Mon 6 Dec 2004 21:01:06 ..S.R 225,515 220.23 K
odmanage.dll Mon 6 Dec 2004 23:25:12 ..S.R 222,898 217.67 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,118,638 bytes 1.07 M

Kind regards,

iHATEpopups.

ihatepopups · 06-Dec-2004, 08:51 PM **#13**

AVG AV is reporting no infected files.

iHATEpopups.

**Rollin' Rog** · 09:55 PM

Didn't work and we have a new set of files to delete.

Print these instructions or save them in Notepad. Then disconnect from the net. If you are on broadband, unplug the modem and do not reconnect until you have completed the instructions and are ready to post again. Please do not reboot the computer until asked to do so.

1 >> Run killbox.exe again.

Each file below must be COPY/PASTED into the "file to be deleted path", one at a time. Do not try to type the paths manually. Make sure "Delete on Reboot" and "end explorer shell" are checked after each copy/paste. After each copy/paste click the X button, then copy/paste the new line and repeat until all are in there. Then, finally, confirm the prompt to reboot and have it do so.

C:\WINDOWS\SYSTEM32\en8ol1~1.dll
C:\WINDOWS\SYSTEM32\enl4l1~1.dll
C:\WINDOWS\SYSTEM32\h60qlg~1.dll
C:\WINDOWS\SYSTEM32\hr6u05~1.dll
C:\WINDOWS\SYSTEM32\odmanage.dll
C:\WINDOWS\System32\EN8OL1~1.DLL

2 >> After rebooting, run HijackThis and check and fix ALL EXCEPT these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: RAinit.dll

3 >> Run Ad-Aware SE again, and this time have it delete ALL files it wants to on a reboot.

4 >> Run HijackThis again and post the log.

5 >> Run "Findit.bat" again, and post that log as well.

llamabuff · 07-Dec-2004, 12:32 PM **#15**

Hey Rog, I was wondering if you could help me out with my redirected Hosts problems. I've been at it for over a week now trying to fix it, but nothing is working. I've downloaded and run every program they've linked me to. I'm completely stumped.

Here's my thread:
http://forums.techguy.org/showthread...6&page=2&pp=15

Thanks.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for: